Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookup issues

ipops
Path Finder
‎08-26-2016 03:28 AM

Having issues getting the NANP app to work (https://splunkbase.splunk.com/app/1515/)

I have the following search but it does not return any lookup fields

sourcetype=ivrdata | eval {message}=varValue | stats first(LogTimestamp) as Time values(Phone) as phone values(Platform) as Platform by IVR_SessionID | WHERE Platform="FWA" | table areacode city latitude longitude

This search returns a phone number in the 1234567890 format as the "phone" field. Any idea what I am doing wrong here?

Here are the relevant files

props.conf

[ivrdata]
LOOKUP-ac = AreaCodeLookup areacode AS phone OUTPUTNEW city country latitude AS _lat longitude AS _lng region
REPORT-ac = getareacode

transforms.conf

[getareacode]
REGEX = phone_no="?(\d{3}\d{3})
FORMAT = areacode::$1

Sample of areacode_latitude_longitude.csv

areacode,city,region,country,latitude,longitude
201200,Jersey City,NJ,US,40.7280556,-74.0780556
201202,Hackensack,NJ,US,40.8858333,-74.0438889
201203,Hackensack,NJ,US,40.8858333,-74.0438889
201204,Jersey City,NJ,US,40.7280556,-74.0780556

Tags (1)
0 Karma
Reply

ipops
Path Finder
‎08-26-2016 08:20 AM

I have removed and reinstalled the NANP app.

It's expecting a phone number in xxx-xxx format

transforms.conf
[getareacode]
REGEX = phone_no="?(\d{3}[-|.]\d{3})
FORMAT = areacode::$1

props.conf
[ivrdata]
LOOKUP-ac = AreaCodeLookup areacode AS phone_no OUTPUTNEW city country latitude AS _lat longitude AS _lng region
REPORT-ac = getareacode

Using the following search but it's not returning any lookup data

sourcetype=ivrdata | WHERE IVR_Message="Phone" | rename IVR_Value AS phone_no | rex field=phone_no mode=sed "s/(\d{3})(\d{3})(\d{4})/\1-\2/g" | table phone_no city country latitude longitude region

any ideas where I am going wrong?

alt text

Preview file
33 KB
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...